Sometimes you need a user to run a daemon/service, and you want them to have as little power as possible (in case the service is hacked in some way). This script is what I have used - almost entirely copied from "Securing Debian Manual: Chapter 9 - Developer's Best Practices for OS Security" https://www.debian.org/doc/manuals/securing-debian-howto/ch9.en.html